Security

Best way to segregate hosts

romainbouajila
Path Finder

Dear all,

I'm in the process of grouping hosts by location. I would like it to be based on the hostname.

The goal is to limit users and show them only logs they're supposed to have access to.

I managed to add a tag to an event type, and then I discovered it is possible to add metadata to events.

Is it possible to segregate access this way too ? What is the best practice for this ?

Thanks in advance

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @romainbouajila,

in Splunk access to data is managed only at index level, so if you want to segregate access to logs of a group of hosts, you have to put the logs from these servers in a dedicated index, so you can enable only one or more roles to access this index.

You can do this in two ways:

  • creating different TAs for each group and in each inputs.conf you put the name od the related index,
  • overrideng the index on the Indexers (or eventually on Heavy Forwarders if present) using props.conf and transforms.conf.

To override index on Indexers, you have to create:

props.conf

[host::yourhost]
TRANSFORMS-override_host = override_host 

transforms.conf

[override_host]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = your_host

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @romainbouajila,

in Splunk access to data is managed only at index level, so if you want to segregate access to logs of a group of hosts, you have to put the logs from these servers in a dedicated index, so you can enable only one or more roles to access this index.

You can do this in two ways:

  • creating different TAs for each group and in each inputs.conf you put the name od the related index,
  • overrideng the index on the Indexers (or eventually on Heavy Forwarders if present) using props.conf and transforms.conf.

To override index on Indexers, you have to create:

props.conf

[host::yourhost]
TRANSFORMS-override_host = override_host 

transforms.conf

[override_host]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = your_host

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @romainbouajila,

good for You.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...